Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group, a member of the Health Texas Provider Network.

A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 21,665 individuals were impacted by the breach.

The theft was discovered by the medical group on January 11, 2017, although the device was believed to have been stolen on or around December 29, 2017.

All eligible individuals affected by the incident will be offered credit monitoring and identity theft protection services through Experian, although no reports of misuse of the stored data have been received.

To prevent future incidents, Denton Heart Group is re-evaluating the security of computer devices used by its clinics, although it is unclear whether the theft will prompt the medical group to encrypt its backups in the future.

20% of Healthcare Organizations Do Not Use Encryption

Two reports were published last month that showed how the healthcare industry in the United States lags behind other industry sectors when it comes to data encryption.

The 2017 Thales Data Threat Report for the Healthcare Industry indicates only 65% of healthcare organizations in the United States encrypt backup data stored in the cloud. A study by HyTrust indicates 25% of healthcare organizations are using cloud services but are not encrypting cloud data.

Even though healthcare organizations are increasing security budgets, the industry still has one of the lowest data encryption adoption rates. Last year, Sophos conducted a survey that showed only 31% of healthcare organizations were extensively using encryption to protect sensitive data, the lowest percentage of all industries surveyed. Encryption was used to some degree by a further 49% of healthcare organizations, although 20% of surveyed organizations were not using encryption at all. Only the retail sector scored lower, with 23% of retailers opting not to use encryption.

The lack of encryption leaves healthcare organizations particularly vulnerable to data breaches. According to OCR figures, since January 1, 2014, there have been 182 hacking incidents reported. Those incidents resulted in the theft/exposure of 125,994,157 healthcare records. There have also been 249 cases of lost or stolen equipment containing PHI. Those incidents impacted 8,902,225 individuals.

Given the extent to which healthcare organizations are now being targeted by cybercriminals and the huge numbers of healthcare records exposed or stolen as a result of hacks and lost and stolen devices, any healthcare organization that is not encrypting PHI is taking a huge risk.


About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.